Enforce read-only mode for Teradata

[arbll]

Summary

This PR enforces read-only mode for Teradata connections to prevent data modification through custom queries.

Motivation

Custom queries can execute write operations, posing a security risk. This change enforces read-only mode at the database connection level.

Approach

Added a hidden enforce_readonly_queries setting (defaults to true) that uses Teradata's STARTUP SQL feature to execute SET SESSION CHARACTERISTICS AS TRANSACTION READ ONLY at connection time in check.py:74. When enabled, all queries cannot perform write operations.

Testing

Added 4-phase e2e test that verifies read/write behavior with enforcement enabled/disabled. Purely outcome-based verification (row counts, metrics).

Tradeoffs

The setting is hidden from users but can be disabled for testing. Provides security by default with minimal configuration surface.

[github-actions]

⚠️ Major version bump
The changelog type changed or removed was used in this Pull Request, so the next release will bump major version. Please make sure this is a breaking change, or use the fixed or added type instead.

[datadog-official]

⚠️ Tests

✨ Fix all issues with Cursor

⚠️ Warnings

🧪 2 Tests failed

test_e2e from test_e2e.py (Datadog) (Fix with Cursor)

Regex pattern did not match.
 Regex: 'Hostname lookup failed'
 Input: 'Message: Unable to parse JSON connection parameters\n at gosqldriver/teradatasql.formatError ErrorUtil.go:101\n at gosqldriver/teradatasql.ParseConParams ConParams.go:193\n at main.parseParams goside.go:233\n at main.goParseParams goside.go:225\n at _cgoexp_c43d071e9719_goParseParams _cgo_gotypes.go:231\n at runtime.cgocallbackg1 cgocall.go:446\n at runtime.cgocallbackg cgocall.go:350\n at runtime.cgocallback asm_amd64.s:1082\n at runtime.goexit asm_amd64.s:1693\nCaused by json: unknown field "startup"\nTraceback (most recent call last):\n  File "/home/datadog_checks_base/datadog_checks/base/checks/base.py", line 1316, in run\n    self.check(instance)\n    ~~~~~~~~~~^^^^^^^^^^\n  File "/home/teradata/datadog_checks/teradata/check.py", line 70, in check\n    raise e\n  File "/home/teradata/datadog_checks/teradata/check.py", line 63, in check\n    with self.connect() as conn:\n         ~~~~~~~~~~~~^^\n  File "/opt/datadog-agent/embedded/lib/python3.13/contextlib.py", line 141, in __enter__\n    return next(self.gen)\n  File "/home/teradata/datadog_checks/teradata/check.py", line 148, in connect\n    raise e\n  File "/home/teradata/datadog_checks/teradata/check.py", line 143, in connect\n    conn = teradatasql.connect(self._connect_params)\n  File "/opt/datadog-agent/embedded/lib/python3.13/site-packages/teradatasql/__init__.py", line 212, in __init__\n    raise OperationalError (sErr)\nteradatasql.OperationalError: Unable to parse JSON connection parameters\n at gosqldriver/teradatasql.formatError ErrorUtil.go:101\n at gosqldriver/teradatasql.ParseConParams ConParams.go:193\n at main.parseParams goside.go:233\n at main.goParseParams goside.go:225\n at _cgoexp_c43d071e9719_goParseParams _cgo_gotypes.go:231\n at runtime.cgocallbackg1 cgocall.go:446\n at runtime.cgocallbackg cgocall.go:350\n at runtime.cgocallback asm_amd64.s:1082\n at runtime.goexit asm_amd64.s:1693\nCaused by json: unknown field "startup"\n'

test_enforce_readonly_queries_setting from test_e2e.py (Datadog) (Fix with Cursor)

[Version 17.10.0.12] [Session 0] [Teradata SQL Driver] Hostname lookup failed for None
 at gosqldriver/teradatasql.formatError ErrorUtil.go:82
 at gosqldriver/teradatasql.(*teradataConnection).makeDriverError TeradataConnection.go:799
 at gosqldriver/teradatasql.(*nameLookup).getAddresses CopDiscovery.go:95
 at gosqldriver/teradatasql.discoverCops CopDiscovery.go:177
 at gosqldriver/teradatasql.newTeradataConnection TeradataConnection.go:149
 at gosqldriver/teradatasql.(*teradataDriver).Open TeradataDriver.go:32
 at database/sql.dsnConnector.Connect sql.go:761
 at database/sql.(*DB).conn sql.go:1395
 at database/sql.(*DB).Conn sql.go:1928
...

ℹ️ Info

❄️ No new flaky tests detected

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: b6c09ad | Docs | Datadog PR Page | Was this helpful? Give us feedback!}

[codecov]

Codecov Report

❌ Patch coverage is 53.84615% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.03%. Comparing base (bbfe5e9) to head (b6c09ad).
⚠️ Report is 16 commits behind head on master.

Additional details and impacted files

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arbll]

Closing for now, was exploring.